<?php

namespace app\behavior;

class Xss{

        public function run(&$params) {

                $referer = empty($_SERVER['HTTP_REFERER']) ? array() : array($_SERVER['HTTP_REFERER']);
                $getfilter = "'|\b(alert|confirm|prompt)\b|<[^>]*?>|^\\+\/v(8|9)|\\b(and|or)\\b.+?(>|<|=|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
                $postfilter = "^\\+\/v(8|9)|\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
                $cookiefilter = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";

                foreach ($_GET as $key => $value) {
                        $this->StopAttack($key, $value, $getfilter);
                }
//                foreach ($_POST as $key => $value) {
//                        $this->StopAttack($key, $value, $postfilter);
//                }
                foreach ($_COOKIE as $key => $value) {
                        $this->StopAttack($key, $value, $cookiefilter);
                }
                foreach ($referer as $key => $value) {
                        $this->StopAttack($key, $value, $getfilter);
                }
        }

        private function StopAttack($StrFiltKey, $StrFiltValue, $ArrFiltReq) {
                $StrFiltValue = $this->arr_foreach($StrFiltValue);
                if (preg_match("/" . $ArrFiltReq . "/is", $StrFiltValue) == 1) {
                        $Log = new \think\Log;
                        $Log::write("操作IP: " . $_SERVER["REMOTE_ADDR"] . "操作时间: " . strftime("%Y-%m-%d %H:%M:%S") . "操作页面:" . $_SERVER["PHP_SELF"] . "提交方式: " . $_SERVER["REQUEST_METHOD"] . "提交参数: " . $StrFiltKey . "提交数据: " . $StrFiltValue);
                        header("Content-type:text/html;charset=utf-8");
                        print "<div style=\"position:fixed;top:0px;width:100%;height:100%;background-color:white;color:green;font-weight:bold;border-bottom:5px solid #999;\">您的提交带有不合法参数,谢谢合作!</div>";
                        exit();
                }
                if (preg_match("/" . $ArrFiltReq . "/is", $StrFiltKey) == 1) {
                        $Log = new \think\Log;
                        $Log::write("操作IP: " . $_SERVER["REMOTE_ADDR"] . "操作时间: " . strftime("%Y-%m-%d %H:%M:%S") . "操作页面:" . $_SERVER["PHP_SELF"] . "提交方式: " . $_SERVER["REQUEST_METHOD"] . "提交参数: " . $StrFiltKey . "提交数据: " . $StrFiltValue);
                        header("Content-type:text/html;charset=utf-8");
                        print "<div style=\"position:fixed;top:0px;width:100%;height:100%;background-color:white;color:green;font-weight:bold;border-bottom:5px solid #999;\">您的提交带有不合法参数,谢谢合作!</div>";
                        exit();
                }
        }

        function arr_foreach($arr) {
                static $str;
                if (!is_array($arr)) {
                        return $arr;
                }
                foreach ($arr as $key => $val) {

                        if (is_array($val)) {

                                $this->arr_foreach($val);
                        } else {

                                $str[] = $val;
                        }
                }
                return implode($str);
        }

}


